Why your access control vendor needs to be familiar with DIACAP

Thu, 2014-05-01 11:03 PM

Robert Laughlin

As you may be aware, the Department of Defense Information Assurance Certification and Accreditation Process, better known as DIACAP, regulates the implementation of risk management for information systems. What you may not know is that not all DIACAP certifications are created equal. Understanding this accreditation process, how the certification is achieved and what it signifies -- or working with an integration specialist who has this expertise -- will help your agency make the best possible decision in choosing an access control or other security solution.

The government’s network is potentially vulnerable to outside threats, since without sufficient security measures in place it can be entered by using any vendor’s networked software or hardware. For any product that will be integrated with the government’s network, both end-users and integrators can depend on DIACAP certification as an indication of extremely high security. More important, DIACAP-knowledgeable integrators know that a product that carries this certification, along with the ATO (Authority to Operate) that is awarded to DIACAP-certified products, is in full compliance with any DoD agency nationwide. In other words, no additional validation would be necessary before specifying one of these products to be installed in any government facility.

When an integrator finds traction in DoD projects by working with a provider who has DIACAP certification, they can obtain a Certificate of Networthiness, or CON, by sharing their ATO document with an agency. This is the flip side of an ATO; it communicates to all DoD agencies that this product or provider has been tested, vetted and certified. It enables other agencies to work immediately with that integrator to deploy the provider’s products without re-testing or the need to obtain an individual ATO from each additional agency. The ATO is not transferable, but once a provider has an ATO for one agency, it can participate in projects across all of that agency’s locations and bases.

The ATO provides tremendous value to users and integrators alike even beyond the DoD community. For example, when looking to deploy an access control solution, security personnel at the Department of Energy utility CenterPoint Energy became aware that Galaxy Control Systems holds an ATO from the DoD. While CenterPoint is subject to NERC compliance laws, the ATO requirements are even more stringent than NERC -- which made their choice of Galaxy a simple one to make.

It is important to note that most providers are certified with caveats, for example that they may deploy their system but only if there is a separate firewall installed, or with some other form of exception. Integrators should be aware of each of these caveats and how they relate to providers and potential deployments, to help keep the process free from complications or delays. Galaxy planned for this possibility by sending their software and hardware engineers to the lab during the testing process. The team literally re-developed the software on-site that same day so that it could be rescanned and pass with a clean report. Based on this, Galaxy was awarded their ATO with no caveats.

Some providers, like Galaxy, may be sponsored by a government agency, providing additional advantages. Under their sustainment program, every new piece of Galaxy hardware or software will be tested automatically. This assures both users and integrators that they always have access to the newest technology from Galaxy under their ATO. Some providers who must pay for their ATOs may not choose to update them for each new innovation, meaning government users would not always have their newest offerings.

For integrators, working with any provider who can attain this level of certification delivers a significant competitive advantage. Galaxy has current projects with a number of major defense contractors. Knowing that Galaxy has the ATO assures contractors that they can bring Galaxy in on the most complex and demanding project and expect a positive outcome. The fact that Galaxy has this ATO -- with no caveats and high-level personnel with Top Secret and Program Level Clearances -- creates even more confidence both for their resellers and for end-users. It’s a tremendous validation of quality to bring to government applications.

Robert Laughlin is president of Walkersville, MD-based Galaxy Control Systems, a manufacturer of integrated access control, video, and security solutions.
